


This is mentioned in the submission. The argument is as follows: If you're vague on the login page but still do the validation on the signup page, the information leakage happens regardless, just on the signup page rather than login, as most websites only allow one account per email.


“If you’re trying to prevent this information leakage, you also need to consider the following things” would be a much better conclusion to arrive at. Services that considered that problem just let you sign up twice and send you an email saying “you already seem to have an account.” As a positive side effect, this also notifies the account owner.


I just finish the registration process as normal, but email the address saying that someone is trying to sign up again and asking if it is them.

The user who signs up won’t notice anything.


That's a good argument for not letting the signup page leak information.


The article literally tells how the username can already be validated.


> The article literally tells how the username can already be validated.

The article says how many websites can allow that. This has nothing to do with the theory. This identifies poor implementations. These implementations trade reducing friction in signups for some user security.

There's nothing wrong with "Invalid Username or Password" (eg ssh, et al), unless the security mechanism is self-sabotaged.


Again, how is that leakage, if you can just try registering a new account and see if that username or email already exists?


... which is a fixable leakage as well, as discussed in other threads in this discussion.

Neither the login nor the sign-up form should tell you that the account already exists.


Do most people who are throwing usernames and passwords at websites ... do that?


If they could benefit from the 'information leakage' of knowing a username exists, they would do.

If they don't - then maybe this 'information leakage' worry is obsolete security advice. There's loads of obsolete security advice around.

(of course there might be other, non-account-security-related reasons to make it impossible to know if an account exists. It's one thing if HN's login form reveals that user duxup exists, it's another if find-an-affair-partner.com reveals the same thing)


>There's loads of obsolete security advice around.

Yeah, that's kinda what I'm wondering about. It's possible that most of your security issues are just folks credential stuffing in the simplest way; if that's the case, then the whole registration thing isn't really a realistic concern.

Hell, when I was in networking, if you did your best to just block traffic to/from specific regions/nations ... you eliminated a huge % of malicious traffic. For the guy thinking deeply about security that seems odd / not specific enough, but in the real world it works...


There's another option, where trying to sign up takes more effort than trying to log in and leaves bigger red flags, so they won't use that method.


You could have bothered to read the article before posting the most obvious, dismissive thing.


How big of an issue is it to leak this information? Disregarding the fact that many sites easily leak this info, how much security is actually gained by obfuscating what usernames are taken?

It seems to me like two-factor authentication, rate limiting logins, good password rules, and properly securing passwords provide much better security than obfuscating usernames. There's always a balance between security and usability. I don't think hiding username availability provides enough security to justify the harm to the user experience.


If you just say "invalid username+password combination", then you can have both security and a correct message.
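The two mitigations discussed above, a sign-up flow that behaves identically whether or not the account exists (and mails the existing owner instead of telling the requester), and a login that answers "invalid username or password" with the same timing in both cases, as one added example. This is illustrative code written for this thread, not code from any commenter or from the submitted article. It assumes a hypothetical in-memory user store (`USERS`) and mail queue (`OUTBOX`); a real service would swap in its database and mailer.

```python
"""Enumeration-resistant sign-up and login (added example, not from the thread)."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory state for the example. USERS maps lower-cased email
# to (salt, PBKDF2 hash); OUTBOX collects mail that would be sent.
USERS: dict[str, tuple[bytes, bytes]] = {}
OUTBOX: list[dict[str, str]] = []

PBKDF2_ROUNDS = 100_000
GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_SIGNUP_REPLY = "Check your email to finish signing up."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# A throwaway credential hashed once at start-up. Login runs the same PBKDF2
# work against it when the email is unknown, so response time does not reveal
# whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def _normalize(email: str) -> str:
    return email.strip().lower()


def signup(email: str, password: str) -> str:
    """Return the same reply whether or not the address is already registered.

    The distinguishing information goes to the mailbox, which only the
    address owner can read. A second sign-up never touches the existing
    account, so an attacker cannot overwrite someone's password this way.
    """
    key = _normalize(email)
    if key in USERS:
        OUTBOX.append({
            "to": key,
            "subject": "Someone tried to sign up with your email",
            "body": "You already have an account. If this was you, just log in; "
                    "if not, you can ignore this message.",
        })
    else:
        salt = os.urandom(16)
        USERS[key] = (salt, _hash_password(password, salt))
        # The confirmation token would normally be stored with an expiry;
        # here it is only embedded in the message.
        OUTBOX.append({
            "to": key,
            "subject": "Confirm your account",
            "body": f"Confirmation token: {secrets.token_urlsafe(32)}",
        })
    return GENERIC_SIGNUP_REPLY


def login(email: str, password: str) -> tuple[bool, str]:
    """Verify credentials; on failure the message never says which half was wrong."""
    key = _normalize(email)
    exists = key in USERS
    salt, stored = USERS.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    # Constant-time comparison, and the hash is computed in both branches.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and exists
    return ok, "" if ok else GENERIC_LOGIN_ERROR


if __name__ == "__main__":
    print(signup("Alice@example.com", "hunter2"))
    print(signup("alice@example.com", "something-else"))  # identical reply
    for mail in OUTBOX:
        print(mail["to"], "<-", mail["subject"])
    print(login("alice@example.com", "hunter2"))
    print(login("alice@example.com", "wrong"))
    print(login("nobody@example.com", "wrong"))  # same error text as above
```

Note what this does not solve: the existence of the account is still observable to whoever controls the mailbox, which is the intent, and the account-owner notification doubles as the warning several commenters mention. Rate limiting both endpoints still matters, since an attacker who can trigger thousands of sign-ups can at least annoy the owners of existing accounts.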


True, but the story covers that aspect - many systems provide other ways to check if a username exists (e.g. trying to register a new account, or sending an email to a gmail address, and so on)



